<font color='black' size='2' face='Arial, Helvetica, sans-serif'>
<div>Folks,</div>
<div><br>
</div>
Not wanting to sound like the voice in the wilderness... but there is now a FreeBSD 8.x patch for stunnel to utilize the IP_BINDANY setsockopt. It does not work fully, only partly. The "partly" being that the traffic looks like it's coming from the external IP address to the internal service, but the service cannot talk back on this IP address, either because of network routing or because the kernel does not recognize the instruction to speak to the foreign address via proxy.
<div><br>
</div>
<div>http://www.FreeBSD.org/cgi/query-pr.cgi?pr=153568</div>
<div>http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/stunnel/files/patch-src::common.h?rev=1.8</div>
<div>http://www.freebsd.org/cgi/query-pr-summary.cgi?category=&severity=&priority=&class=&state=&sort=none&text=stunnel&responsible=roam&multitext=&originator=&closedtoo=on&release=</div>
<div><br>
</div>
<div>After testing numerous pf rules, I've come to the conclusion pf cannot produce the result. </div>
<div><br>
</div>
<div>
<pre style="margin-left: 6em; ">int_if="lo0"
ext_if="ed0" # 192.168.103.x
ext2_if="ed1" # 10.0.0.5

rdr pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if
nat pass log inet proto tcp from 192.168.103.69 to $int_if port 80 -> $int_if</pre>
<div><br>
</div>
<div>or</div>
<pre style="margin-left: 6em; ">pass in log on $ext_if reply-to ($ext2_if 10.0.0.5) from 192.168.103.69 synproxy state</pre>
<div><br>
</div>
<div>Neither of these rules works, but the first actually rewrites the source IP to the internal IP, thereby undoing the proxy function. The second creates a connection, thus synchronizing the connection at pf, but actual network traffic is listed via tcpdump. </div>
<div><br>
</div>
<div>Another project seems to accomplish this goal via ipfw 'fwd' rules (<tt>IPFIREWALL_FORWARD</tt>). </div>
<div><br>
</div>
<div><pre style="margin-left: 6em; "># ipfw add 100 fwd 127.0.0.1,10025 tcp from not me to any 25</pre></div>
<div><br>
</div>
<div>http://thewalter.net/stef/software/clamsmtp/transparent.html </div>
<div><br>
</div>
<div><br>
</div>
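<div>The IP_BINDANY step itself, as an added example that is not from this thread or from stunnel: a small C routine that enables the FreeBSD option (IP_TRANSPARENT on Linux) and binds an outbound socket to a constructed client address, returning the errno a refused bind reports. The function names, the 192.0.2.10 client address and the demo() wrapper are assumptions of this example.</div>

```c
/* Added example, not code from the thread or from stunnel: the "bind to a
 * foreign source address" step a transparent proxy performs before connecting
 * to the backend, so the backend sees the real client IP instead of 127.0.0.1. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill sa with ip:port; returns 0, or -EINVAL if ip is not a dotted quad. */
int make_sockaddr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -EINVAL;
}

/* Turn on the platform's "bind any" option and bind fd to client_ip with an
 * ephemeral port.  Returns 0 or -errno: -EPERM when unprivileged (root or
 * CAP_NET_ADMIN is required), -ENOPROTOOPT when the platform has no such
 * option, -EADDRNOTAVAIL (errno 49 on FreeBSD, the error quoted below). */
int bind_as_client(int fd, const char *client_ip)
{
    struct sockaddr_in sa;
    int on = 1, rc;
    if ((rc = make_sockaddr(client_ip, 0, &sa)) != 0)
        return rc;
#if defined(IP_BINDANY)         /* FreeBSD >= 8.0, see ip(4) */
    rc = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof on);
#elif defined(IP_TRANSPARENT)   /* Linux equivalent (TPROXY) */
    rc = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on);
#else
    (void)on; errno = ENOPROTOOPT; rc = -1;
#endif
    if (rc != 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0)
        return -errno;
    return 0;
}

/* Try it on a TCP socket with a constructed TEST-NET-1 client address. */
int demo(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0) return -errno;
    rc = bind_as_client(fd, "192.0.2.10");   /* 0, or -errno as listed above */
    close(fd);
    return rc;
}
```

<div>Even when the bind succeeds, the backend's replies to that client address must come back through the proxy host; that is a routing requirement rather than a socket option, and it is the second half of the problem described above.</div>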
<div style="font-family:helvetica,arial;font-size:10pt;color:black">-----Original Message-----<br>
From: oscaruser@programmer.net<br>
To: stunnel-users@mirt.net<br>
Sent: Wed, Dec 29, 2010 4:18 pm<br>
Subject: Re: [stunnel-users] Stunnel forwarding IP<br>
<br>
<div id="AOLMsgPart_3_248bcd8b-8351-4ac0-9891-5f6e43eecb8a">
<font color="black" size="2" face="Arial, Helvetica, sans-serif">[second sending of the same message]
<div><br>
</div>
<div>OK, I see the transparent configuration option, but it looks only available for Linux. Tried on FreeBSD 7.3 amd64 and FBSD 8.1 amd64, with the same result: "local_bind (original port): Can't assign requested address (49)". Apparently v8.1 supports <tt>IP_BINDANY</tt> (man ip 8), but stunnel may not be using this feature (based on searching the stunnel-4.33 source code).<br>
</div>
<div><br>
<br>
<div style="font-family:helvetica,arial;font-size:10pt;color:black">-----Original Message-----<br>
From: <a href="mailto:oscaruser@programmer.net">oscaruser@programmer.net</a><br>
To: <a href="mailto:stunnel-users@mirt.net">stunnel-users@mirt.net</a><br>
Sent: Wed, Dec 29, 2010 2:07 pm<br>
Subject: [stunnel-users] Stunnel forwarding IP<br>
<br>
<div id="AOLMsgPart_3_34f5c1fc-9796-48c4-bc4b-e62cc23a9ee5">
<font color="black" size="2" face="Arial, Helvetica, sans-serif">Folks,
<div><br>
</div>
<div>For my server daemon process, I am accepting incoming requests only from pre-seeded IP addrs. Using Stunnel, I am finding connecting IPs are '127.0.0.1' or localhost. Is there any configuration or solution to represent incoming IPs for the given file descriptor belonging to their originating IP addrs?</div>
<div><br>
</div>
<div>Thank you.<br>
</div>
</font></div>
</div>
</div>
</font>
</div>
<!-- end of AOLMsgPart_3_248bcd8b-8351-4ac0-9891-5f6e43eecb8a -->
<div id="AOLMsgPart_4_248bcd8b-8351-4ac0-9891-5f6e43eecb8a" style="margin: 0px;font-family: Tahoma, Verdana, Arial, Sans-Serif;font-size: 12px;color: #000;background-color: #fff;">
<pre style="font-size: 9pt;"><tt>_______________________________________________
stunnel-users mailing list
<a href="mailto:stunnel-users@mirt.net">stunnel-users@mirt.net</a>
<a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a>
</tt></pre>
</div>
<!-- end of AOLMsgPart_4_248bcd8b-8351-4ac0-9891-5f6e43eecb8a -->
</div>
</div>
</font>